# Corrosion NATS Configuration
# JetStream enabled for persistent messaging

# Client listener, bound to all interfaces. With the open default in
# nats-auth.conf (see Authorization below), any host that can reach this port
# gets anonymous full access. Keep 4222 off untrusted networks until
# NATS_AUTH_STAGE=enforce is in effect.
listen: 0.0.0.0:4222

# JetStream configuration
jetstream {
  # Directory where JetStream persists stream data.
  store_dir: /data
  # Upper bounds on memory-backed and file-backed JetStream storage.
  max_mem: 256MB
  max_file: 2GB
}

# WebSocket listener for frontend real-time updates
websocket {
  listen: "0.0.0.0:9222"
  # This hop is plaintext: credentials and messages travel unencrypted between
  # the proxy and this listener.
  # NOTE(review): 9222 should be reachable only from the TLS-terminating proxy
  # and never published directly. Confirm against the deployment's port
  # mappings and firewall rules.
  no_tls: true  # TLS terminated at Nginx/Cloudflare
}

# HTTP monitoring
# The NATS monitoring endpoint has no authentication of its own and reports
# server and connection details (for example /varz and /connz).
# NOTE(review): it is bound to all interfaces here. Confirm that 8222 is
# exposed only to the internal monitoring network, not to the internet.
http: 0.0.0.0:8222

# Logging
# Debug and protocol trace output are off; logtime timestamps each log entry.
debug: false
trace: false
logtime: true

# Limits
# max_payload is the largest message the server accepts (server default is
# 1MB). Under the open auth default, anonymous clients can also publish up to
# this size.
max_payload: 8MB  # Support map file transfer metadata
# Cap on concurrent client connections.
max_connections: 10000

# Authorization — per-license isolation.
# The committed nats-auth.conf is the SAFE OPEN default (anonymous full access,
# no secrets — same as before). "Safe" here means only that the committed file
# holds no secrets; it applies no access control.
# On deploy, scripts/generate-nats-auth.mjs regenerates nats-auth.conf from the
# licenses table with the privileged internal user + per-license scoped users;
# flip NATS_AUTH_STAGE=enforce to reject anonymous.
# The host copy carries secrets and is NOT committed
# (git update-index --assume-unchanged docker/nats-auth.conf).
# NOTE(review): assume-unchanged is a local index flag. It is not shared with
# other clones and is not a guarantee, so it cannot be the only safeguard
# against committing the secret-bearing copy. Verify with a pre-commit or
# secret-scanning check, and keep restrictive file permissions on the host copy.
include "nats-auth.conf"